CISA Certified Information Systems Auditor Questions and Answers

No periodic assessments to identify threats and vulnerabilities

No dedicated security officer

No employee awareness training and education program

No official charter for the information security management system

To provide a failover plan in case of system Issues.

To validate the operation of the new system against its predecessor.

To verify the new system can process the production load

To verify the new system provides required business functionality

The complexity level of the audit procedure

The criticality of IT processes for the business function

Process owner availability during the audit

The number of audit team members required for the task

The duster agent software used is open source

Some of the nodes are located in the same city.

Adequate storage exists across all nodes.

Network encryption exists between nodes

Include usage restrictions for smart devices in the security procedures.

Require employees to formally acknowledge security procedures.

Review the access logs to the organization's sensitive data in a timely manner.

Enforce strong security settings on smart devices.

reputation

data incompleteness

data incompleteness

lack of data integrity

Develop a privacy notice to be displayed to shoppers

Mask media access control (MAC) addresses

Conduct a privacy impact assessment

Survey shoppers for feedback

KPls are reviewed on a periodic basis.

All relevant parties are involved in the design of KPls

KPls are communicated lo stakeholders

IT KPls include business metrics

Enforcement of an internal data access policy

Application of single sign-on for access control

Enforcement of the use of digital signatures

Implementation of segregation of duties

exit criteria

stress testing.

stopping criteria

entry criteria

Mandatory holidays

Background checks

Transaction log review

User awareness training

transaction tagging

parallel simulation.

integrated test facility (ITF)

embedded audit modules.

Update the risk assessment to include the new system.

Contract with a third party to conduct an audit of the new system.

Maintain the plan with no changes and perform a separate review of the new system

Update the audit plan to include the new system

completeness of user documentation.

integrity of key calculations.

effectiveness of user training.

change requests initiated after go-live.

The migration was not approved by the board of directors.

Training for staff with new virtualization responsibilities has not been conducted.

Role descriptions do not accurately reflect new virtualization responsibilities.

A post-implementation review of the hypervisor has not yet been conducted.

Correlation between data errors and loss in value of transaction

Correlation between the number of issues and average downtime

Cost of implementing data validation controls within the system

Comparison of the cost of data acquisition and loss in sales revenue

IT projects are delivered on time and under budget

Management is aware of IT-related risks.

Employees understand roles and responsibilities

Reporting and metrics become higher priority.

Lack of scalability

Reduced performance

Disclosure of data

Inflexibility

required sample size increases.

sampling risk decreases.

degree of assurance increases.

standard deviation decreases.

Trace the attacking route.

Replicate the attack using the remaining evidence.

Take a system image including memory dump.

Safely shut down the server.

Attend project progress meetings to monitor timely implementation of the application.

Assist users in the design of proper acceptance-testing procedures.

Follow up with project sponsor for project's budgets and actual costs.

Review functional design to determine that appropriate controls are planned.

inform senior management in writing and proceed with the audit

inform audit management of the situation.

proceed with the audit as planned after documenting the incident.

obtain the auditee s approval before continuing the audit.

Evaluate configuration settings for transactions requiring customer identification.

Review the business requirements document for customer identification requirements.

Review transactions completed for one period that have blank customer identification fields.

Attempt to complete a monetary transaction and leave the customer identification fields blank.

First use a symmetric algorithm for the authentication sequence.

encrypt the authentication sequence using a public key.

transmit the actual digital signature in unencrypted clear text.

encrypt the authentication sequence using a private key.

Risk register

IT service management plan

Continuous audit reports

IT dashboard

Examine the computer to search for evidence supporting the suspicions.

Notify local law enforcement of the potential crime before further investigation.

Advise management of the crime after the investigation.

Contact the incident response team to conduct an investigation.

Cost-benefit comparison between the available systems

High availability of different systems

Transaction volume estimate during peak periods

Reputation of the vendors and their customer base

Evaluate control gaps between the old and the new processes.

Develop compensating controls.

Document the impact of control weaknesses in the process.

Ensure that lessons learned during the change process are documented.

document the conflict in the audit report.

decline the audit assignment.

communicate the conflict of interest to the audit manager prior to starting the assignment.

communicate the conflict of interest to the audit committee prior to starting the assignment

Review system documentation to ensure completeness.

Ensure that a detection system designed to verify transaction accuracy is included.

Review input and output control reports to verify the accuracy of the system decisions.

Review signed approvals to ensure responsibilities for decisions of the system are welldefined.

retention.

completeness.

availability.

confidentiality.

False-identification rate (FIR)

Equal-error rate (EER)

False-rejection rate (FRR)

False-acceptance rate (FAR)

Logical relationship check

Table look-ups

Existence check

Referential integrity

Monitor activities of the associated IT staff members by reviewing system-generated logs weekly.

Request funding to hire additional IT staff to enable segregation of duties.

Remove some of the administrative access of the associated IT staff members.

Leverage business unit personnel to serve as administrators of the application.

Assign roles and responsibilities

Comply with policies and procedures.

Provide substantial audit-trail evidence.

Manage impact due to breaches.

operations component of the business continuity plan (BCP).

enterprise risk management plan.

balanced scorecard.

business impact analysis (BIA).

Prevention

Inherent

Detection

Control

Confidential information leakage

Unauthorized access to the systems

Loss of integrity and corruption of databases

Loss of reputation and business

Gap analysis

Business impact analysis (BIA)

Qualitative risk analysis

Root cause analysis

A comprehensive asset inventory

A tested incident response plan

An approved patching policy

A robust tabletop exercise plan

The audit team is not sufficiently leveraging data analytics.

Audit reports are not approved by the audit committee.

Audit reports do not state they are conducted in accordance with industry standards.

Audit engagements are not risk-based.

Detective

Corrective

Directive

Preventive

Software as a Service (SaaS)

Database as a Service (DbaaS)

Infrastructure as a Service (laaS)

Platform as a Service (PaaS)

Compare the current configuration to the corporate standard

Consult with the vendor of the system

Compare the current configuration to the default configuration

Consult with the systems programmer

Update the acceptable use policy for mobile devices.

Encrypt data between corporate gateway and devices.

Notify employees to set passwords to a specified length

Apply security policy to the mobile devices.

Application interfaces

Scope creep

System documentation

Currency conversion

Setting up an IT governance framework for the process

Conducting a business impact analysis (BIA)

Measuring IT governance key performance indicators (KPIs)

Preparing a statement of sensitivity

Exclude recent regulatory changes from the audit scope

Discuss potential regulatory issues with the legal department

Ask management why the regulatory changes have not been included

Report the missing regulatory updates to the chief information officer (CIO)

Determine the inherent risk related to each system.

Determine the number of samples to be tested for each system.

Assess the control risk associated with each system.

Identify the technical skills and resources needed to audit each system.

Real-time audit software

Performance data

Quality assurance (QA) reviews

Participative management techniques

Responsibilities are not property defined.

Recovery time objectives (RTOs) are not correctly determined.

Key performance indicators (KPIs) are not aligned.

Critical business applications are not covered.

Unauthorized changes can be moved into production.

Changes are applied to the wrong version of production source libraries.

Production source and object libraries may not be synchronized.

Programs are not approved before production source libraries are updated.

Delete user IDs at a predetermined date after their creation.

Automatically delete user IDs after they are unused for a predetermined time.

Implement an automated interface with the organization’s human resources system.

Require local supervisors to initiate connection.

Backups may require excessive storage space.

Implementation could cause significant cost increases.

Archived data may not satisfy data retention requirements.

A single disaster could cause significant data loss

Documented policies

Strong risk management practices

Internal auditor commitment

Supportive corporate culture

Data tokenization

Data abstraction

Data masking

Data encryption

Purchase commitments are made prior to requisitions being approved.

Requisitions are being facilitated by a third-party procurement service.

Requisitions are being processed by the finance team.

The purchase requester receives notifications of goods delivery.

Configuration management

Release management

Capacity management

Patch management

Ensure the source code remains available.

Protect the organization from copyright disputes.

Segregate system development and live environments.

Ensure source code changes are recorded.

Complexity of business processes identified in the audit

Peak activity periods for the business

Remediation dates included m management responses

Availability of IS audit resources

notify management.

document the finding in the report

redesign the customer order process.

suspend credit card processing.

Annual tabletop exercises are performed instead of functional incident response exercises.

Roles for computer emergency response learn (CERT) members have not been formally documented.

Workstation antivirus software alerts are not regularly reviewed.

Guidelines for prioritizing incidents have not been identified.

it represents a single point of failure

segregation of duties is not observed.

it is not feasible to implement

access logs may not be maintained

Data validation is provided by the service provider.

Contracts with the vendors are simplified.

Multiple inputs of the same document are allowed at different locations.

Transcription of information is reduced.

Corrosion

Static electricity

Brownout

Fire

informal management approval to 90 live

Lack of a rollback strategy for the system go-live

Plans to use some workarounds for an extended period after go-live

incomplete test cases for some critical reports

Follow back-out procedures

Troubleshoot the system and fix the issue.

Run system diagnostics on the staging servers.

Document the calls and user issues.

File layouts

System/process flowchart

Source code documentation

Data architecture

Control over IS infrastructure expenditure

A comprehensive IS applications architecture

Documented emergency change procedures

An independent audit of the process

Reduction in security threats

Opportunity for frequent reassessment of incidents

Reduction in the business impact of incidents

Reduction of cost by the efficient use of resources

All documents have been reviewed by end users.

All inputs and outputs for potential actions are included.

Both successful and failed interface data transfers are recorded.

Failed interface data transfers prevent subsequent processes.

Evaluating the performance of the payroll system using benchmarking software

Testing hours reported on time sheets

Performing penetration attempts on the payroll system

Performing reasonableness tests by multiplying the number of employees by the average wage rate

Input validation checks

Table partitioning

Table indexes

Referential integrity

Approving the design of controls for the data center

Performing independent reviews of responsible parties engaged in the project

Shortlisting vendors to perform renovations

Ensuring the project progresses as scheduled and milestones are achieved

Established criteria exist for accepting and approving risk.

Identified risk is reported into the organization’s risk committee.

Potential impact and likelihood is adequately documented.

A communication plan exists for informing parties impacted by the risk.

The Implementation of a security awareness.

System administration can be better managed.

Administrative security can be provided for the client.

Desktop application software will never have to be upgraded.

Business interruption due to remediation

IT budgeting constraints

Risk rating of original findings

Availability of responsible IT personnel

the IT governance framework.

the IT processes and procedures.

Information security procedures.

the most recent audit results.

Full test of computer operations at an emergency site

Paper test involving functional areas

Benchmarking the plan against similar organizations

Walk-through of the plan with technology suppliers

Regulatory requirements regarding the location of data

Adherence to industry standards for ensuring integrity of data

The vendor's ability to meet established service level agreements (SLAs)

Existence of a right-to-audit clause in the vendor agreement

Misconfiguration and missing updates

Malicious software and spyware

Zero-day vulnerabilities

Security design flaws

review reciprocal agreements

review logical access controls

evaluate physical access control

analyze system restoration procedures

Audit logs are not enabled on the server.

The server is outside the domain.

The server's operating system is outdated.

Most suspicious activities were created by system IDs.

Legal and compliance requirements

Customer agreements

Organizational policies and procedures

Data classification

Restricting edit access for the new tool to data owners only

Ensuring data quality at the point of data entry

Requiring key inventory data points to be mandatory fields in the new tool

Conducting a post-migration quality assurance review

Prototyping

Iterative development process

Object-oriented system development

Waterfall development process

Association analysis

Classification analysis

Anomaly detection analysis

Regression analysis

Data integrity

Speed of recovery

Time to recognition

Impact on business

User acceptance testing (UAT) results

Quality assurance (QA) results

Integration testing results

Sign-off from senior management

Conduct a privacy impact assessment to identify gaps

Declassify information based on revised information classification labels.

Mandate training on the new privacy regulations.

Perform a data discovery exercise to identify all personal data

Ask the service provider for an independent audit report covering the subservice organization's data center

Ask the service provider for a copy of the subservice organization's data center physical security policy

Engage a third party to audit physical access controls at the subservice Organization

Visit the data center and perform testing over physical access controls at the 'service organization

Critical business assets have additional controls.

The risk register is reviewed periodically.

A business impact analysis (BIA) has been completed.

The inventory of IT assets includes asset classification.

Whether follow-up procedures would determine if identified risks have been mitigated

Whether the auditee has allotted sufficient time for the follow-up

Whether management has determined if risk is within the organization's risk appetite

Whether the organization has sufficient funds to address the issue

Optimize business process designs

Validate compliance with applicable local financial regulations.

Define the organization's control objectives.

Appoint an independent risk advisory firm to provide support.

Identify and periodically remove sensitive data that is no longer needed

Look continually for new criminal behavior and attacks on sensitive data

Encrypt sensitive data while strengthening the system

Establish a clear policy related to security and the handling of sensitive data

recommend drafting a service level agreement (SLA)

determine the Impact of the issue

report the issue to senior management

document the issue in the final report

After the requirements phase

Just before a major release

Parallel to the development activity

At the end of development

Record the observation in the workpapers.

Take no action as this issue is outside the audit scope.

Include the finding with recommendations in the final report.

Expand the audit scope to include desktop audits.

benefits realization has been evidenced

there are unresolved high-risk items

the project adhered to the budget and target date.

users were involved in the quality assurance (QA) testing.

on a continual basis.

within the first few months of employment.

before access to information is granted.

whenever security policies are updated.

Mandatory information security awareness training

Senior management commitment to information security initiatives

Implementation of industry-standard information security tools

Adequate budget to support the information security strategy

Short key length

Random key generation

Use of asymmetric encryption

Use of symmetric encrypt

To comply with organization polices

To prevent users from installing unlicensed software

To reduce exposure to security risk

To reduce unnecessary downtime

identification of IT resources that support key business processes

Recovery strategy for significant business interruptions

Support documentation for the recovery alternative

Roles and responsibilities for the business continuity process

Preventive

Detective

Corrective

Compensating

Stratified sampling

Haphazard sampling

Quota sampling

Judgmental sampling

Configure the servers from an approved standard configuration

Require all employees to attend training for secure configuration management

Have a third party configure the virtual servers

Configure the intrusion prevention system (IPS) to identify DNS attacks

Virtual backup

Real-time backup

Full backup

backup Differential